Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Cloud

6/21/2021
05:55 PM
50%
50%

Software-Container Supply Chain Sees Spike in Attacks

Attackers target companies' container supply chain, driving a sixfold increase in a year, aiming to steal processing time for cryptomining and compromise cloud infrastructure.

Typosquatting and credential stuffing are two of the most common ways that attackers are attempting to target companies' container infrastructure and the Docker-image supply chain, with attacks climbing nearly 600% in the second half of 2020 compared with the same period a year ago. That's according to a report released by cloud-native security provider Aqua Security on June 21.

Related Content:

Malicious or Vulnerable Docker Images Widespread, Firm Says

Special Report: Assessing Cybersecurity Risk in Today's Enterprises

New From The Edge: 11 Security Certifications to Seek Out This Summer

Many attackers use passive scanning, utilizing services such as Shodan or tools such as Nmap to find servers hosting the Docker daemon or the Kubernetes container orchestration platform, attempting to attack those platforms using stolen credentials or vulnerabilities, according to the report. Another popular attack uses typosquatting — creating image names similar to legitimate images — and vanilla images that have a variant of a popular image, such as Alpine Linux, attempting to benefit from developer mistakes.

When attackers gain access, they most often install cryptominer software or attempt to escape the container and compromise the host system, says Assaf Morag, lead data analyst at Aqua Security.

"Attackers are constantly looking for new techniques to exploit containers and [Kubernetes]," he says. "They usually find an initial access to these environments and try escaping to the host and collect credentials, insert backdoors, and scan for more victims."

As companies move more of their infrastructure to the cloud, attackers have followed. A study of the publicly available images on Docker Hub conducted late last year found that 51% of the images had critical vulnerabilities and approximately 6,500 of the 4 million latest images — about 0.2% — could be considered malicious. 

In addition, the developers who create and use containers often do not focus on security. A survey of 44 software images specifically used in neuroscience and medical data science found that a container built from the images had more than 320 different vulnerabilities on average

The attackers know that misconfigurations are common and have used a variety of techniques to scan more frequently, the Aqua Security report states.

"This technique is very effective because the attackers use the infected hosts for the scanning operation, increasing the frequency of scanning activity and the chances of finding misconfigurations promptly," according to the report. "Some adversaries continue to use public search engines, such as Shodan or Censys, while others use scanning tools such as Masscan."

In one example of typosquatting, the company found an image by the name of "Tesnorflow," an attempt to profit from any misspellings of the well-known TensorFlow machine-learning package. Many data scientists use the container and may not pay attention to misspellings in the name, says Morag.

"If you are a data scientist who accidentally pulls and runs a Tesnorflow container image, you will also execute a cryptominer," he says. "We reported that to Docker Hub and they immediately removed it."

In another case, Aqua Security discovered that a legitimate organization had hosted a malicious JavaScript package in its public Docker Hub registry, the online service from which you can pull and run various applications. 

"It actually stole credentials and exfiltrated this data," the company says in the report. "We immediately informed this company and they have remediated this security issue."

Overall, attackers are using a greater number of images — an average of 3.78 per day — than the year before, and a greater number of attacks, 97 in the second half of 2020, up from 13 the same period the year before. A new honeypot is hit with its first attack within five hours, the report states.

Aqua Security's honeypots also detected attacks that attempt to use Kubernetes and automated build pipelines to build an application on a vulnerable server using images. Anti-defensive measures varied from the simple — such as packing executables to avoid signature scanners — to the more complex‚ such as disabling security measures and running code only in memory. 

In 2021, attackers' focus appears to be shifting from compromising single containers and shifting to clusters of containers managed by Kubernetes, or K8s. The benefit for the attacker is expanding the scale of the eventual impact, Morag says.

"From the attacker’s perspective, the attack surface is bigger, securing K8s clusters is a bit more challenging, and if the attacker manages to find and attack a cluster, he has far more opportunities to gain from the attack," he says. "For instance, K8s allows attackers to execute multiple containers, so instead of a single cryptominer, he can run dozens and possibly come across more credentials and secrets."

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
How Enterprises are Attacking the Cybersecurity Problem
Concerns over supply chain vulnerabilities and attack visibility drove some significant changes in enterprise cybersecurity strategies over the past year. Dark Reading's 2021 Strategic Security Survey showed that many organizations are staying the course regarding the use of a mix of attack prevention and threat detection technologies and practices for dealing with cyber threats.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-3903
PUBLISHED: 2021-10-27
vim is vulnerable to Heap-based Buffer Overflow
CVE-2021-41191
PUBLISHED: 2021-10-27
Roblox-Purchasing-Hub is an open source Roblox product purchasing hub. A security risk in versions 1.0.1 and prior allowed people who have someone's API URL to get product files without an API key. This issue is fixed in version 1.0.2. As a workaround, add `@require_apikey` in `BOT/lib/cogs/website....
CVE-2021-1115
PUBLISHED: 2021-10-27
NVIDIA GPU Display Driver for Windows contains a vulnerability in the kernel mode layer (nvlddmkm.sys) handler for private IOCTLs, where an attacker with local unprivileged system access may cause a NULL pointer dereference, which may lead to denial of service in a component beyond the vulnerable co...
CVE-2021-1116
PUBLISHED: 2021-10-27
NVIDIA GPU Display Driver for Windows contains a vulnerability in the kernel mode layer (nvlddmkm.sys), where a NULL pointer dereference in the kernel, created within user mode code, may lead to a denial of service in the form of a system crash.
CVE-2021-1117
PUBLISHED: 2021-10-27
Windows contains a vulnerability in the kernel mode layer (nvlddmkm.sys) handler for DxgkDdiEscape, where an attacker through specific configuration and with local unprivileged system access may cause improper input validation, which may lead to denial of service.